Wednesday, May 23, 2007

Golly, now it's getting personal. IndymacBank isn't just a lending giant with $1.34 billion in revenue - they also hold the mortgage to my house. And in addition to my monthly payment reminder in May, this month they also sent over a little something extra:

Gosh, and all this time I thought they only cared about the size of my check. Who knew?

But should we blog about them, we asked ourselves? This particular run lasted only 44 minutes, on the 21st of May. And prior to that Indymac was clean for 80 days - not a single sign of bot activity. Could be a sign of an excellent effort.

But... wait, this wasn't the only incident - we spotted a second occurrence on the 1st of March which blasted stock spam for 1 hour 16 minutes, and a third on February 27th pumping pharmaceuticals and stocks for a similarly brief amount of time.

So what gives?

All this garbage came from a single IP address: 65.214.149.253, routed by ASN 19347, and showing no reverse DNS. We get a fair amount of marketing mail from Indymac via 63.251.196.251, obb.indymacbank.com, and other mail from 70.42.8.249, smtpout002.indymacbank.com, but never anything bot-related, and both look like completely legitimate senders.

So, as the guy with his personal information at this bank, including my social security number, income details, and even the square footage of my bathroom, it bothers me that some unknown host on their corporate network is controlled by a third party over which they exert no legal or operational control.

And though I'm hoping that what this evidence shows is a very diligent sec-ops team hard at work shutting down the bots as soon as they pop up, my concern is I have no idea if that's really the case. Is this a single host that's been hacked since February 27th, possibly data-mining and password-sniffing the whole time? Or is this three separate incidents, each of which was stamped out within an hour or so? Even if this best-case scenario is true - how do I know these systems weren't hacked long before they ever started spewing spam? How do I know I'm safe if they can't even stop themselves from sending out photos of smiling young ladies touting two-foot phalli? Does it get any more outrageous?

People - this is a bank. Think about it...

But what's the point? Is it that Indymac are bad guys? No. Is it that the internet is a scary place? Sort of. Is it that I need to be concerned about my personally identifiable information? Absolutely.

The whole point of this blog is to raise awareness about the Botwar going on - a war raging around us as we speak. We can smile and laugh about penis spam, but the fact is that millions of carjacked computers, controlled by criminal third parties are doing god knows what 24/7, inside our homes, our hospitals, our government offices, our corporations, and even inside our banks. And in this case, inside my bank.

Our goal is not to make these hard-working sec-ops folks look bad, but instead to help raise awareness with their CIOs, CEOs, and even the general public, so they can get the funding and support they need to fight this problem. It's raging around us. It's a predatory criminal activity making victims of many organizations. We can stick our heads in the sand or we can fight it.